The title seems like a simple enough concept, but when it comes to advanced threat protection, truer words were never written. This concept of visibility into your network, which in turn enables better protection and control of your network, is at the heart of Cisco’s Next-Generation Intrusion Prevention System (NGIPS). Visibility is what feeds critical capabilities in the solution and it’s also what sets our NGIPS apart from other IPS products.

In the coming weeks, we’ll focus on different aspects of our market-leading NGIPS solution, as recognized by third-party groups such as Gartner and NSS Labs, but since NGIPS is all about threat protection – and you can’t protect what you can’t see – let’s start with visibility.

Historically, IPS products have provided visibility into network packets to be able to identify and block network attacks. The last couple of years have seen next-generation firewalls get a lot of industry buzz by providing visibility (and subsequent control) into applications and users.

As of May 1, 2014, we can confirm Cisco customers have been targets of this attack. For the latest coverage information and additional details see our new post on the VRT blog.

Protecting company critical assets is a continuing challenge under normal threat conditions. The disclosure of zero-day exploits only makes the job of IT security engineers that much harder. When a new zero-day vulnerability was announced on April 26, 2014 for Microsoft Internet Explorer, corporate security organizations sprang into action assessing the potential risk and exposure, drafting remediation plans, and launching change packages to protect corporate assets.

Some companies however, rely on Managed Security Services to protect those same IT assets. As a Cisco Managed Security services customer, the action was taken to deploy updated IPS signatures to detect and protect the companies critical IT assets. In more detail, the IPS Signature team, as a member of the Microsoft Active Protections Program (MAPP), developed and released Cisco IPS signature 4256/0 in update S791 and Snort rules 30794 & 30803 were available in the ruleset dated 4-28-2014. The Cisco Managed Security team, including Managed Threat Defense, received the update as soon as it became available April 28th. Generally, Cisco Managed Security customers have new IPS signature packs applied during regularly scheduled maintenance windows. In the event of a zero-day, the managed security team reached out to customers proactively to advise them of the exploit and immediately were able to apply signature pack updates to detect and protect customer networks.

While corporate security organizations must still assess ongoing risks and direct overall remediations to protect corporate data, Cisco can take the actions to provide security visibility into the targeted attacks, increase protection with fresh signatures, and reduce risk profile for the corporate InfoSec program.

For more detail on the vulnerability, please see Martin Lee’s blog post.

More details about this exploit and mitigation information can be found on the following links:

Cloud services and SaaS applications is enabling customers to accelerate their business processes and improve employee productivity while lowering their total IT spending. The Cisco IWAN solution is helping organizations adopt cloud applications with an improved user experience by enabling local internet breakout from the branch environment, thus helping eliminate the need to backhaul internet-bound traffic across the WAN link. This helps provide the user improved experience through lower latency for not only internet applications, but also free up bandwidth for application on the WAN link. The reduced WAN link usage also means lower IT spending those links.

However, a study commissioned by Cisco during Jan’14 from 641 customers from US and Europe on their MPLS usage and adoption of local internet breakout found that 68% of the customers responded that enabling direct internet access was an organizational focus for them. However, 54% of the total respondents reported that lack of sufficient security at the branch environment hindered them from enabling local internet breakout at the branch. This was ranked as the #1 reason to not enable Direct Internet Access at branch sites.

The Cisco IPS Signature Development team has released 4 signature updates in the past week. Each of the updates contains either modifications to existing signatures or additional signatures for detection of attacks related to the OpenSSL Heartbleed issue. I’m going to take a moment to summarize the signature coverage.

To best utilize your Cisco IPS to protect against the OpenSSL Heartbleed issue:

Update your sensors to signature update pack S788.

Enable and activate sub-signatures /3 and /4 for signature 4187, leaving /0, /1, and /2 disabled and retired (by default, signature 4187 is disabled and retired across all sub-signatures).

Sub-signatures /3 and /4 are set at a severity of Informational and Low, respectively, and will not drop traffic by default. If after monitoring the sensor alerts, you are comfortable dropping traffic inline based on those alerts, you will need to add an action of “deny-packet” to each signature.

We are witnessing the growth of the Internet of Everything (IoE), the network of embedded physical objects accessed through the Internet, and it’s connecting new devices to the Internet which may not traditionally have been there before. Unfortunately, some of these devices may be deployed with a security posture that may need improvement.

Naturally when we saw a fewposts about multi-architecture malware focused on the “Internet of Things”, we decided to take a look. The issue being exploited in those posts is CVE-2012-1823, which has both an existing Cisco IPS signature as well as some for Snort. It turns out this vulnerability is actually quite heavily exploited by many different worms, and it took quite a bit of effort to exclude all of the alerts generated by other pieces of malware in Cisco IPS network participation. Due to the vulnerability-specific nature of the Cisco IPS signature, the same signature covers this issue as well as any others that use this technique; just one signature provides protection against all attempts to exploit this vulnerability. As you can see in the graph below this is a heavily exploited vulnerability. Note that these events are any attack attempting to exploit this issue, not necessarily just the Zollard worm.

The graph below is derived from both Cisco IPS and Sourcefire IPS customers. The Cisco data is from customers who have ‘opted-in’ to network participation. This service is not on by default. The Sourcefire data below is derived from their SPARK network of test sensors. This graph is showing the percent increase of alert volume from the normal for each dataset at the specified time.

Some of the individuals posting to this site, including the moderators, work for Cisco Systems. Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of Cisco. The content is provided for informational purposes only and is not meant to be an endorsement or representation by Cisco or any other party. This site is available to the public. No information you consider confidential should be posted to this site. By posting you agree to be solely responsible for the content of all information you contribute, link to, or otherwise upload to the Website and release Cisco from any liability related to your use of the Website. You also grant to Cisco a worldwide, perpetual, irrevocable, royalty-free and fully-paid, transferable (including rights to sublicense) right to exercise all copyright, publicity, and moral rights with respect to any original content you provide. The comments are moderated. Comments will appear as soon as they are approved by the moderator.